I implemented an ASP.NET application using Integrated Windows Authentication, running in IIS 6.0 (Win2003Server). Some users want to run the application using a logon that differs from the one they use for their workstation. How can I offer the users an optional login (such as a button "Use current account" / "Use alternative account") on the same application?

By combining ASP.NET, IIS 6.0 and Integrated Windows Authentication, you have implemented a very secure method for authenticating users to your application. Users are authenticated based on their Windows NT Domain or Active Directory account credentials, and no passwords being sent across the network.

To allow users to logon to your application with a different user name from the one they use for the workstation...

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

you will need to use ASP.NET impersonation and create a customized impersonation solution. With ASP.NET impersonation, IIS is responsible for authenticating users against the domain and passing on to ASP.NET an authenticated token, which can then act on behalf of the client. The main purpose of ASP.NET impersonation is to allow the ASP.NET execution engine to execute code in the context of an authenticated and authorized client instead of using the same user account as the ASP.NET process, which is typically the ASP.NET account.

Your changed user solution will need to:

Authenticate the user against your domain

Create a new System.Security.Principal.WindowsIdentity instance that represents the user's account

Impersonate the new Windows identity

Stop impersonating and revert back to the user logged on to the machine

To provide users with a logon choice you can use the Win32 LogonUser API call. This will try to authenticate an account to your Windows domain using the security credentials that are passed to it. As you suggest, you can also have a button that calls this function with the rest of your code and allow users to logon to your application as a different user. If the logon is successful, LogonUser returns true and passes a token handle back to IIS that represents the authenticated user to impersonate. Now that you have a token representing your authenticated user, you need to create an instance of WindowsIdentity which implements the System.Security.Principal.IIdentity interface and is used to represent a Windows user in a .NET application. To create a WindowsIdentity instance, pass the token handle received from the LogonUser to the WindowsIdentity constructor, WindowsIdentity.Impersonate(). WindowsIdentity.Impersonate() will return a System.Security.Principal.WindowsImpersonationContext instance, which represents a Windows user. Finally, to terminate the impersonation call the WindowsImpersonationContext.Undo() method.

As you can see, this not a trivial undertaking and will require careful testing to ensure that your overall security is not weakened. Another option is to consider using Certificate Authentication, whereby client certificates are mapped to Windows accounts in either a Domain or Active Directory. By issuing users digital certificates stored on a token, such as a USB key, they can authenticate themselves by inserting the token when requested by the application. By using the Windows Authentication Provider in ASP.NET your application will run as the user to which the certificate is mapped. However, the costs of issuing and managing client certificates can be high and may not be appropriate if the data being accessed is not particularly sensitive.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy